Today it's raining.
I just followed the changes to byte 2F9 in "explorer.exe" in Windows 10 build 14393.rs1_release_inmarket.170303-1614. But I think it would be the same in all versions of this build 14393.
The attached file contains the windbg trace and my comments in French.
I translate the most important parts here.
Getting started: check the address and the 'window bytes' with Spy++ on the window "Shell_TrayWnd".
Start windbg. Kill explorer.exe. In windbg, open the program "explorer.exe".
Compute the address of the byte: the base is provided by Spy++ in the 'window bytes'. Add 2F9 for build 14393.
Note: I don't remember if I explained how to find this address.
Place the breakpoint:
ba w 1 00007ff6'01e76b59
and GO (g in the file)
Explorer starts and loads many other DLLs.
If the address is correct then the breakpoint is triggered.
Breakpoint 0 hit
explorer!CTray::v_WndProc+0xfa6:
00007ff6`01c96a86 84c0 test al,al
It is the previous instruction which is important!
Now, how to get the code before this instruction?
Because it is really the previous code that will tell who changes this byte, and how. Trying to disassemble upward in addresses, we quickly find that it is not possible to identify the address of the "jmp" that led to this "mov" at 00007ff6'01c96a7f in my case.
Therefore, start from the entry of the WndProc of a window.
But looking at the values of the registers and at the constants in the statements following the code that launches a "PostMessage", I think the handling should not be very long, that it may be a response to another message, and that this is why "0x5BA" is contained in the registers "rbx" and "r8".
So we go to the WndProc with:
u explorer!CTray::v_WndProc
See the code in the file if you need it...
I guess that the msg = 5BA, like I see in rbx and r8 at the time of the "ba" breakpoint.
I need to get the right address:
00007ff6`01c95ef6 0fb68402e0700400 movzx eax,byte ptr [rdx+rax+470E0h]
00007ff6`01c95efe 8b8c8228700400 mov ecx,dword ptr [rdx+rax*4+47028h]
00007ff6`01c95f05 4803ca add rcx,rdx
00007ff6`01c95f08 ffe1 jmp rcx
rax = 0x5BA - 0x551 = 0x69
rdx = 00007ff6'01c50000? The load base of the program, according to how a program in PE format is loaded.
byte *ptr = [rdx + rax + 470E0h] = 00007ff6'01c50000 + 0x69 + 0x470E0 = 00007ff6'01c97149 → contents 0x1B
0:010> d 00007ff6'01c97149
00007ff6'01c97149 1b 1c 2d 1d 1e 1f 2d 20-21 22 23 24 25 26 27 2d... -...- !" #$%&'-
DWORD *ecx = [rdx + rax*4 + 47028h] = 00007ff6'01c50000 + (0x1B * 4) + 0x47028 = 00007ff6'01c97094
0:010> d 00007ff6'01c97094
00007ff6'01c97094 74 6a 04 00 e0 65 04 00-45 6a 04 00 63 04 00 tj b9 e... EJ... c...
74 6a 04 00 in memory = 00046A74 as an address (little-endian)
rcx = 00007ff6'01c50000 + 0x00046A74 = 00007ff6'01c96a74
And jmp rcx !
And there is the code at 00007ff6'01c96a86, at the breakpoint:
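The four-instruction sequence above (movzx from a byte table, mov from a dword table, add the image base, jmp) is the two-level jump table that MSVC emits for a dense switch on the message id. The following script, an added example that is not part of the original post, replays that lookup over a sparse memory image constructed from the two "d" dumps quoted here; the image base, the 0x551 subtraction and the two table RVAs are taken from the trace, and the dword entries for cases 0x1C and 0x1D are read from the same dump as case 0x1B.

```python
import struct
from typing import Dict, Optional

# Constants taken from the WinDbg trace in the post.
IMAGE_BASE = 0x7FF601C50000        # rdx: load base of explorer.exe in that session
FIRST_MSG = 0x551                  # the switch subtracts this from the message id to get rax
INDEX_TABLE_RVA = 0x470E0          # movzx eax, byte ptr [rdx+rax+470E0h]
TARGET_TABLE_RVA = 0x47028         # mov ecx, dword ptr [rdx+rax*4+47028h]

# Sparse image of explorer.exe, constructed from the post's two "d" dumps.
# Keys are RVAs; anything the dumps did not show is simply absent.
memory: Dict[int, int] = {}


def poke(rva: int, data: bytes) -> None:
    """Store bytes at an RVA in the sparse image."""
    for offset, value in enumerate(data):
        memory[rva + offset] = value


# d 00007ff6`01c97149: case-index bytes for messages 0x5BA..0x5C9 (rax 0x69..0x78)
poke(INDEX_TABLE_RVA + 0x69, bytes.fromhex("1b1c2d1d1e1f2d20212223242526272d"))
# d 00007ff6`01c97094: RVA entries 0x1B, 0x1C and 0x1D (entry 0x1E is cut off in the dump)
poke(TARGET_TABLE_RVA + 0x1B * 4, bytes.fromhex("746a0400" "e0650400" "456a0400"))


def read_bytes(rva: int, size: int) -> Optional[bytes]:
    """Read `size` bytes at an RVA, or None if any byte is outside the dump."""
    try:
        return bytes(memory[rva + i] for i in range(size))
    except KeyError:
        return None


def switch_index(msg: int) -> int:
    """rax after the subtraction that precedes the table lookups: msg - 0x551."""
    index = msg - FIRST_MSG
    if index < 0:
        raise ValueError(f"message {msg:#x} is below the switch range")
    return index


def resolve_case(msg: int) -> Optional[int]:
    """Replay both table lookups and return the VA that 'jmp rcx' would reach,
    or None when a needed table entry is not present in the dump."""
    index = switch_index(msg)
    case_byte = read_bytes(INDEX_TABLE_RVA + index, 1)          # movzx eax, byte ptr [...]
    if case_byte is None:
        return None
    entry = read_bytes(TARGET_TABLE_RVA + case_byte[0] * 4, 4)  # mov ecx, dword ptr [...]
    if entry is None:
        return None
    (target_rva,) = struct.unpack("<I", entry)                  # little-endian dword
    return IMAGE_BASE + target_rva                               # add rcx, rdx ; jmp rcx


if __name__ == "__main__":
    for msg in (0x5BA, 0x5BB, 0x5BC, 0x5BD):
        va = resolve_case(msg)
        where = f"handler at {va:#018x}" if va is not None else "table entry not in dump"
        print(f"msg {msg:#x}: rax = {switch_index(msg):#x} -> {where}")
```

For 0x5BA the script lands on 00007ff6`01c96a74, the address the post disassembles next. Two observations fall out of the constants alone: the dword table runs from 0x47028 to 0x470E0 (where the byte table starts), which is 0xB8 bytes, so it holds 0x2E targets numbered 0x00..0x2D; the value 0x2D, which repeats in the byte table, is therefore the highest case and is most likely the default branch of the switch (an inference, not something the trace states).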
0:010> u 00007ff6`01c96a74
00007ff6`01c96a74 397d88 cmp dword ptr [rbp-78h],edi
00007ff6`01c96a77 0f8526660700 jne explorer!`TileBadgeProviderLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x15123 (00007ff6`01d0d0a3)
00007ff6`01c96a7d 8bc7 mov eax,edi
00007ff6`01c96a7f 418887f9020000 mov byte ptr [r15+2F9h],al >>>>>>>>>>>>>>>>> here we find the address of the ba breakpoint again
00007ff6`01c96a86 84c0 test al,al
00007ff6`01c96a88 0f851f660700 jne explorer!`TileBadgeProviderLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1512d (00007ff6`01d0d0ad)
00007ff6`01c96a8e 4138bff8020000 cmp byte ptr [r15+2F8h],dil
00007ff6`01c96a95 0f8512660700 jne explorer!`TileBadgeProviderLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1512d (00007ff6`01d0d0ad)
00007ff6`01c96a9b 440fb6c0 movzx r8d,al
00007ff6`01c96a9f 4533c9 xor r9d,r9d
00007ff6`01c96aa2 ba0c040000 mov edx,40Ch
00007ff6`01c96aa7 498b8fa0000000 mov rcx,qword ptr [r15+0A0h] UNKNOWN RECIPIENT unknown dest, but but but .....
00007ff6`01c96aae ff15c4431800 call qword ptr [explorer!_imp_SendMessageW (00007ff6`01e1ae78)]
00007ff6`01c96ab4 e918f3ffff jmp explorer!CTray::v_WndProc+0x2f1 (00007ff6`01c95dd1)
Someone sends the message 0x5BA with wParam = 0 and lParam = 0 to the window "Shell_TrayWnd".
The final test: winpe into this piece of PS
$code = @"
using System;
using System.Runtime.InteropServices;
namespace Win32_API {
    public class Win32_API_Class {
        [DllImport("user32.dll", SetLastError = true)]
        public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
        [DllImport("user32.dll", SetLastError = true)]
        public static extern IntPtr FindWindowEx(IntPtr parentHandle, IntPtr childAfter, string className, string windowTitle);
        // Handle and params are pointer-sized on x64: IntPtr instead of int
        [DllImport("user32.dll", SetLastError = true)]
        public static extern IntPtr SendMessage(IntPtr hWnd, uint hMsg, IntPtr wParam, IntPtr lParam);
    }
}
"@
Add-Type -TypeDefinition $code
$handle = [Win32_API.Win32_API_Class]::FindWindow("Shell_TrayWnd", "")
$iRet = [Win32_API.Win32_API_Class]::SendMessage($handle, 0x5BA, [IntPtr]::Zero, [IntPtr]::Zero)
And bingo!
It would be interesting to know who the sender of this message 5BA is.
Is there a method without windbg?